As he had already predicted, cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition. “It took a couple of seconds. They clicked on the link and I took control of the machine,” Miller said after his accomplishment. He took home the USD 10000 prize, as well as the MacBook he performed the exploit on. Internet Explorer 8 fell a while later to a cracker known only as Nils, who also cracked Safari and Firefox after being done with IE8.
Miller cracked Safari running on a fully patched installation of Mac OS X on a MacBook. The details of the exploit will not be given out until Apple has published a patch to ensure that others don’t run with the exploit and abuse it. This is the second year in a row that Safari on the Mac is the first to fall in the PWN2OWN contest, again by Miller’s hands.
A while after, Internet Explorer 8, running on Windows 7, also fell. Windows 7 was running on a Sony Vaio P, and was cracked by a cracker named Nils, who wishes to remain anonymous. He also won a cash prize and got to keep the Vaio P. Several Microsoft security folk were on site to witness the exploit. This exploit is also kept under wraps until Microsoft releases a patch. Later on, Nils also broke into Safari (Mac) and Firefox.
All the cracks happened on day one of the contest, which means the operating systems and browsers were fully patched, with no additional plugins loaded. So far, only Chrome hasn’t been cracked yet, but that probably won’t take long, seeing how quickly the first browsers were exploited.
The phones do not appear to have been cracked yet, so that contest is still underway.
All I have to say is it couldn’t happen to a more deserving company. Apple’s elitist attitude just astonishes me.
A good example of this is the charge of $10 to enable bluetooth on itouch players.
http://www.dailytech.com/article.aspx?newsid=14611
Of course I am still interested in seeing if firefox and internet explorer will get cracked, but this just takes the cake for me.
Edit: ugh, not as great as I thought.
http://blogs.zdnet.com/security/?p=2934
looks like all of them fell, so… Whatever at least apple went first.
Edited 2009-03-19 07:13 UTC
I’m surprised Safari fell first… Nothing about Opera. Maybe it’s not insecure enough for the fun.
http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=6221…
Wow, I guess I have to throw out my (family’s) three stable/reliable/worry-free MacBooks now and switch back to the Windows/PC nightmare
Look, Mac hardware/software is not perfect, but it’s much better than the PC/Windows security defense routine, and the annual Windows reformat.
I don’t know anybody who does that, and I don’t see a reason to. Well, maybe except if you somehow have the irresistible urge to install and test any software you stumble across.
It’s a myth, so stop spreading that.
I do it every year. Of course I just image it in 20 minutes using free tools, because reformatting and building from scratch would be uncivilized.
I have to do that to people’s PCs after they fill the hard drive with Windows malware.
What have Apple’s pricing decisions to do with the security of their browser exactly??
Do it like me: If you don’t want to spend that money, then just don’t!
You make it sound as though all you get for your $10 is bluetooth, which is completely untrue.
Apple’s not doing anything other software companies haven’t done before.
How embarrassing – not being able to spell embarrassing.
I’m not surprised that it has happened; Apple hasn’t seemed to learn a single thing; they introduce garbage collection with Objective-C and yet none of the components of Mac OS X use it, they introduce ASLR and again very few components use it.
It will be interesting to see how it was cracked – and hopefully Apple will wake up and do something about the security issues in Safari and Quicktime (which is another one which has had numerous security alerts).
I think it’ll be quite a few years before we see Objective-C 2.0 adopted throughout all of Apple’s software. I mean, look at .NET and how prevalent it is in Microsoft’s offerings. A decade after it’s been introduced, the majority of their software is still Win32.
I hope Apple will spend considerably more effort in pushing Objective-C 2.0 adoption.
Garbage collection alone does not increase security. And Objective-C 2.0 runs only on Leo, but Safari has to work on 10.4, too.
Obj-C 2.0 is just the language, the compiled binaries can work on 10.4, only XCode 3 requires Leopard. Garbage Collection is opt-in on Leopard, and a separate binary for 10.4 wouldn’t include it.
As you said:
a separate binary.
I doubt that Apple would release two versions of Safari for OS X
Well, the issue with .NET is that it is VM based. I have been using VM based languages for a long time now, and I would not see any reason to move vital parts of an OS infrastructure towards a VM, especially if it works well (except for portability reasons): you will get a huge speed hit and memory consumption goes through the roof. It might be interesting for new applications, but moving legacy code over is sort of a no go.
Same goes for Apple. Although introducing GC only has minor impacts on memory consumption and speed, there is simply no reason to do it! Newer code can be programmed against it; older code, which probably will never be touched again except for bugfixing once in a while, does not make sense to be ported over!
The problem in the case of .net isn’t performance, it is several thousand man years worth of legacy code. Anything new is done in .net.
Anything in the GAC (global assembly cache) only gets loaded once, which includes the core libraries. Also, there is only ever one runtime running (as opposed to java/ruby/python/etc), and individual programs are segregated into “AppDomains” under that single runtime.
Except when it isn’t.
Application domains can be used to host multiple applications inside a single OS process. However, the app domains are implemented as multiple copies of the .NET VM running inside a single process. Even if you have a single process with 10 application domains, you still have multiple VMs, which are deliberately kept isolated from one another. Big deal – pretty much any VM runtime can do that.
That’s how the .NET VM is hosted inside SQL Server, how it’s used in IIS for ASP.NET websites, and how it’s hosted as a COM object inside other applications.
However, that’s not how most .NET applications run. If you run a .NET application, a new process will be created, creating a new instance of the .NET VM along with it.
What it can do is pre-compile the assemblies in the GAC to native code. That way, the native code can be shared by any application using it – the runtime just mmaps the code to memory, and the OS just maps the same block of memory into each VM’s address space.
That’s something that other VMs don’t do yet, although I believe Sun were working on some sort of JIT cache for Java that’d perform the same role.
You learn something new every day
I was under the impression that while appdomains were heavy, it was less overhead than running multiple Java apps. Guess there isn’t all that much of a difference other than the shared memory bit.
I’m not surprised because they attacked the browser. Lame.
Browsers have to parse a near infinite combination of good and bad HTML, Javascript and many other formats. The browser is the biggest and most potential attack surface a hacker has to play with.
Seriously, cracking browsers is boring — I wanted to see direct attacks against the OS and *then* see how well it stands up. Remember the Mac Mini that was left open to the net for 48 hours? 500’000 direct attacks, and not one successful.
Weakest link in the chain, Kroc.
A self-propagating Mac virus is not going to be very successful unless it can spread via other means than just the browser. It may enter via the browser, but going machine to machine is going to need to be more clever than that.
The patch for this flaw will be released, and this whole thing would have been nothing but one big ego-trip for the hacker, with no profound meaning.
Are we to expect to shower the grey-hats and white-hats with attention and prizes for every browser bug they find? No, finding and reporting browser bugs should be humble work, and many hackers are humble enough to do it this way, letting the vendor know early and giving them time to resolve the issue.
This competition is just to sensationalise and rile up the haters and the ignorant over a matter that should be handled much better.
— PS. Both Webkit and Gecko are open source engines, if the guy weren’t a pr!ck, then he would have filed the bugs and provided patches. This competition just waves money in front of hackers faces and says “Hey, don’t contribute to the safety of everybody online, when you can have all this money, and your name splashed across the news for days!”.
This is disrespectful to the end user, the person who we tend to forget, is the most important person in front of the computer.
Edited 2009-03-19 08:14 UTC
Huh? “the most important person in front of the computer”?
Probably for companies that have to care about their market share. But for some random Joe Hacker?
As a tech professional and an end user, I think things that benefit my computing experience are pretty important.
My grief with large software companies is not that they are successful but that they continue to make decisions in favor of the shareholders at the expense of the end user. A better balance between profits and product quality could be struck but that doesn’t maximize shareholder equity payouts.
Apple has a vested interest in appearing invulnerable. It’s BS marketing and company insecurity but the network stack bug that “didn’t exist”… They brought in lawyers to silence the researchers that tried to report it. Then quietly a month later, a patch for the network stack and drivers appears in the osX Update utility. Microsoft also suffers from the idea that publicly announced bug counts are a discredit to marketing so it’s more important to push blame on to third party developers rather than fix the OS flaw that the third party apps keep getting exploited through. Neither of these things benefits the end user.
As an end user, I want new features to benefit me rather than be purely to give the appearance of a new product we all have to upgrade to. As a technology professional, I want things that make my users’ computing life easier and safer. As a security professional specifically, I’d like nothing more than to work myself out of a job. My goal is to arrive at work and find out that there are no risks to mitigate or future risks to plan for because of end user education and product quality; luckily, I have many years of employment before that’s likely to happen.
It’s all about the end user; either myself or the people I support. (but yeah, it’s sad that the end user is just a wallet to some of the biggest retailers)
On that we can agree. It even has an incredible lame name to prove it.
The browser is also one of the most likely targets for an exploit, precisely because it’s often so vulnerable and because it is one of the most used components of the operating system. No matter how boring it is, it’s still significant, and full os security isn’t worth jack if the browser is insecure.
Who cares when you can take *control of the machine* via the browser?
I’d be curious to see what the system setup was as I didn’t see that in the original article.
Was this user an admin user or a non-privileged user? Does that matter for the exploit (guess we’ll find out when the patch is deployed)
Being the first to fall really doesn’t mean much to me, all it means is that someone with a working exploit went to that machine first, vs the other machines. I see Safari, IE and Firefox all went down today…
Pretty poor excuse given the fact that the browser is the most used program on any computer and the major reason why so many people use computers at home.
In order to remotely attack a machine you need a way to deploy that attack. These days most operating systems (even Windows) have realized that keeping a lot of default ports open (listening) is stupid. So the best way to deploy your attack is pretty much through the web.
However some things bother me with this: they claim that they can take full control of the machine through the web browser. How exactly can they do that if the browser is running in userland under an account with user privileges? The way I see it they can only utilize the power given to the account which the browser is running under, unless they also have some OS privilege-escalation exploit as well?
Or are all these browsers being run under administrator privileges (which is pretty stupid)?
Windows XP – ~90% market share. Default user account is in the administrator’s group. So the browser runs as this user, which is basically an administrator. Therefore ~90% of computer users run their web browsers with administrative privileges (or equivalent).
I hear that osX isn’t too hard against privilege escalation. Anyone know if “unapproved” applications will still run simply by changing the identifier text file within the program’s directories? (seen as a single object when only viewed through Finder)
It’ll be interesting to see the details of the exploits used if/when they become available.
The rules of the game were clear: it is not about user escalation, it is about getting user data. And this with nothing more than a click on a link. Which is pretty shameful. What if I click on OSMEVS.COM and someone reads all of my home folder? It is not a funny experience!
Whether someone robs your house by getting through the front door or through one of the windows; to claim that it is ‘boring’ that they got through the window instead of breaking down your super re-enforced door is an attempt to ignore what just happened – you’ve just been robbed!
Apple has sandbox technology, why isn’t Safari running in the sandbox which some of services run in? why doesn’t Quicktime operate in the sandbox? again, Apple has the technology but they aren’t taking advantage of it.
You know that the browser is probably the application doing most communication to the outside world running on the average desktop?
It makes perfect sense to go after it. Maybe a browser really is the hardest application to harden. Still, it also is the most important one.
You forgot one thing: the components of OS X are way older than the GC in Objective-C, and they are proven, well-running code. So why change them just to get a speed hit introduced by GC…
GC does not do a single thing to improve security btw… it only makes programs more stable to some degree by taking over the memory freeing.
The biggest thing to add security is to add strings which have clear boundaries to a language. One of the reasons why C based programs are so inherently insecure is their handling of strings as glorified pointers. Sure there are routines for string copying which prevent the buffer overflow issues introduced by such data structures, but languages like Pascal, Modula and others didn’t have them in the first place…
GC does not help there either. Don’t get me wrong, I am a huge fan of GC; I use it on a day-to-day basis and have been using it for more than a decade, but blaming Apple for not moving old legacy code over to new GC at a time the legacy code is stable and runs well is idiotic!
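The post above argues that C strings are bare pointers with no boundary, and that languages with length-carrying strings avoid the overflow class outright. The block below is an added illustration written for this thread, not code from the original page, from Apple, or from any browser project: a minimal bounded string type (`bstr`, a name this example invents) placed beside the `strcpy` and `strncpy` conventions the post criticises. The 16-byte buffers and the inputs fed to them are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration for this thread, not code from the page or any project.
 * bstr is this example's own name: a string that carries its own capacity and
 * length, the "clear boundaries" the post contrasts with bare char pointers. */
typedef struct {
    char  *buf;  /* caller-provided storage */
    size_t cap;  /* bytes available in buf, including room for the NUL */
    size_t len;  /* bytes in use, excluding the NUL */
} bstr;

/* Wrap existing storage; the buffer starts out as the empty string. */
bstr bstr_wrap(char *storage, size_t cap) {
    bstr s = { storage, cap, 0 };
    if (cap > 0) storage[0] = '\0';
    return s;
}

/* Append n bytes of src. On overflow it returns false and leaves the buffer
 * unchanged: the bound travels with the data, so the caller cannot forget it. */
bool bstr_append(bstr *s, const char *src, size_t n) {
    if (s->cap == 0 || n > s->cap - 1 - s->len) return false;
    memcpy(s->buf + s->len, src, n);
    s->len += n;
    s->buf[s->len] = '\0';
    return true;
}

/* Replace the contents with src; oversize input leaves an empty string. */
bool bstr_set(bstr *s, const char *src) {
    if (s->cap == 0) return false;
    s->len = 0;
    s->buf[0] = '\0';
    return bstr_append(s, src, strlen(src));
}

/* The C-string side. strcpy() has no idea how big dst is, so the only defence
 * is a check the caller has to remember; this is that check, never the copy.
 * true means strcpy(dst, src) would write past a dst of dst_cap bytes. */
bool strcpy_would_overflow(size_t dst_cap, const char *src) {
    return strlen(src) + 1 > dst_cap;
}

/* strncpy() is the usual "safe" replacement and has its own trap: when src is
 * at least dst_cap bytes long it writes no NUL at all, leaving an unterminated
 * buffer for the next strlen() or printf("%s") to run off the end of.
 * Returns true if the result is NUL-terminated. */
bool strncpy_terminates(char *dst, size_t dst_cap, const char *src) {
    strncpy(dst, src, dst_cap);
    return memchr(dst, '\0', dst_cap) != NULL;
}

/* Constructed scenarios: a 16-byte buffer fed inputs around its limit. */
#define OVERSIZE "AAAAAAAAAAAAAAAAAAAA"   /* 20 bytes */
#define EXACTFIT "AAAAAAAAAAAAAAA"        /* 15 bytes + NUL = 16 */

bool scenario_bounded_rejects_oversize(void) {
    char st[16];
    bstr s = bstr_wrap(st, sizeof st);
    return !bstr_set(&s, OVERSIZE) && s.len == 0 && st[0] == '\0';
}

bool scenario_bounded_accepts_exact_fit(void) {
    char st[16];
    bstr s = bstr_wrap(st, sizeof st);
    return bstr_set(&s, EXACTFIT) && s.len == 15 && st[15] == '\0'
        && !bstr_append(&s, "B", 1);          /* one more byte does not fit */
}

bool scenario_strncpy_unterminated(void) {
    char raw[16];
    return strncpy_terminates(raw, sizeof raw, "short")
        && !strncpy_terminates(raw, sizeof raw, OVERSIZE);
}

int main(void) {
    printf("bounded string rejects 20 bytes into 16: %s\n",
           scenario_bounded_rejects_oversize() ? "yes" : "no");
    printf("bounded string accepts exact fit:         %s\n",
           scenario_bounded_accepts_exact_fit() ? "yes" : "no");
    printf("strcpy would overflow with 20 bytes:      %s\n",
           strcpy_would_overflow(16, OVERSIZE) ? "yes" : "no");
    printf("strncpy leaves 20-byte input unterminated: %s\n",
           scenario_strncpy_unterminated() ? "yes" : "no");
    return 0;
}
```

The point is not that `bstr_append` is clever; it is that the capacity check sits in the one place every write goes through, whereas with `strcpy` the same check has to be re-written correctly at every call site, and `strncpy` quietly trades an overflow for an unterminated buffer.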
“It will be interesting to see how it was cracked – and hopefully Apple will wake up and do something about the security issues in Safari and Quicktime”
You say that and in the same time IE and Firefox were also compromised. How does your point make any sense here?
” contest by cracking Safari and Mac OS X within seconds of the start of the competition.”
BS, his job is to find security holes; he surely spent plenty of time to find this one. Saying that he did this in x or y seconds for sensationalism does not make any sense, as he had tested beforehand whether the exploit works. The only thing that he needed was someone to click where he wanted.
“This is the second year in a row that Safari on the Mac is the first to fall in the PWN2OWN contest, again by Miller’s hands.”
The order is not important here because they all fell in the same stage of the contest. Because Miller demonstrated his exploit first does not mean that Safari fell first. You make it sound as if Safari fell first and therefore it is less secure, but the fact is that IE and Firefox fell in exactly the same manner, regardless of who performed the exploit first.
“So far, only Chrome hasn’t been cracked yet, but that probably won’t take long”
Humm, the flaw in Safari is probably in webkit, Chrome is probably also affected.
I said that he had cracked Safari within seconds of the competition. This is 100% fact, and there’s nothing sensationalistic about it. It would be sensationalism if I had written something like “Safari Cracked within Seconds, Apple Most Insecure Company EVARR!!!”
But I didn’t. This article is simply a lineup of facts. Like it or not. As usual, you are trying to shoot the messenger.
Why is it always the messenger shooting with you Apple folk? I didn’t say ANYTHING about who is less secure than the other! You are just making stuff up now.
This is a simple listing of facts of how the contest went. That’s all. I can’t help it that your pet company’s browser was the first to fall again. Only with Apple fans can journalists/bloggers be blamed for a possible Cupertino screw up.
Doesn’t have to be WebKit, but could be.
Edited 2009-03-19 08:32 UTC
Thom, your reading comprehension is too low to catch this fact mentioned in the article:
He went out of his way to test the exploit before the contest to make sure it would work every time.
In other words, he did not pwn Safari on the spur of the moment in a few seconds! He went to the contest with a known-good exploit that was well-tested long before he ever walked in the door.
That being said, I’d truly love to know exactly what control over the machine he had as a result of that, as the ZDNet article is rather vague beyond stating that. I’m imagining that unless he got the user to enter their password, it wasn’t quite as “total” as stated: if you can’t enter the password for certain things, or do something to configure things such that you don’t need it, it isn’t truly total control over the machine, but it can still at least be very damaging to that user’s accounts.
I know.
Read what I wrote: “cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition.”
And that’s 100% accurate, exploit in hand or not.
You can lie by telling something which is wrong, but also by filtering the facts. And you are not the messenger: you have written the article.
Dude, it is obviously deceiving. What it sounds like is that he came unprepared and figured out how to crack Safari in seconds while in fact he had prepared the exploit beforehand.
Well, it’s quite possible the other guys had also prepared for the browsers they worked on.
Yeah, I was also wondering how he got control over the machine from the browser. Running code, sure, but that would still only be under the user account.
Then again, having “root” isn’t what most malware is interested in anyway.
Aside from not being able to change system files and configurations it can still be quite damaging. You can still run botnets from a user account, for example.
Edited 2009-03-19 11:42 UTC
All of them had. The ones that didn’t win didn’t have any good exploit or had one but a recent patch had fixed it.
Nobody can find and exploit a bug in minutes, or even hours unless the bug is very noobish and can be found easily.
It’s not 1983 anymore.
I am sincerely surprised by IE8/Win7 both falling. While IE8 was bound to be broken as any other browser, I thought IE in windows Vista+ ran in sandbox mode, or is that something you have to enable?
Maybe the sandbox isn’t sandproof?
It depends on the contest requirements. The IE Protected Mode allows reads (but not writes).
As is stated in the first sentence of the summary. This story has been covered here before so I guess Thom’s just assuming we’re all familiar with the facts (and it sounds like we are).
I think this competition is more about encouraging white hat hacking than exposing security flaws. So no point bickering about the results – they only prove that Charlie Miller knows his stuff.
Was there no Linux machine in the contest this year? Last year it went uncracked, didn’t it? I’d really love to see someone crack a Linux machine in a contest like this, because well publicised exploits can only make it stronger. My money is on Adobe being responsible for the exploit that gives us Linux users our first real malware scare.
I was wondering just that. Why is there no GNU/Linux box this year? Could it be that it’s too secure to even show up? I know it’s not because of that, so don’t mod me down as it’s just a joke.
http://www.appleinsider.com/articles/09/03/19/mac_security_research…
From the article above:
That fact highlights that, in reality, the platforms and browsers involved aren’t targeted by a series of equal attacks. Instead, researchers arrive with exploits they hope to use against vulnerabilities they are aware of in specific platforms or browsers, but have not yet reported. Were they to report the exploits in advance, they would be patched by the vendor. There’s no money in that, so the contest provides an incentive to report vulnerabilities.
If it’s all so money motivated, perhaps Apple should simply pay Charlie Miller $500 every time he finds a valid security hole in an Apple application. Since he seems to be so good at it, they should take advantage of it. That would be cheaper for them than having headlines like this, which is likely to cost them a few Mac purchases (but not that many).
Edited 2009-03-19 08:44 UTC
Definitely true. Which is why Microsoft is actively seeking out people like Miller and paying/employing them to do just that,and it’s also why they actually had people present during the contest. That’s what we call an active security policy.
But let’s face it, Microsoft needed such a policy. Vista and 7 are doing much better now, though. Apple has had no reason to do this, and this exploit probably doesn’t really change anything about that. This exploit might be fun and all, but it doesn’t really change the fact that Mac OS X is still pretty secure.
Then again, so are Linux, Vista, and 7. Security is no longer really a reason to specifically pick either of those (well, unless Microsoft stays in retard mode and doesn’t fix the broken UAC in Windows 7).
Edited 2009-03-19 08:49 UTC
I call BS.
I attended the Chaos Communication Congress in Berlin a few times and talked to people who exploit systems for a living, and they say if you want to be really safe you have to use a system with little market share and with great security.
That is why in the real world you are way, way more secure running a Linux distro with SELinux enabled throughout (like Fedora) or AppArmor, Smack etc. Or maybe even better OpenBSD (similar security, even less market share).
Edited 2009-03-19 09:51 UTC
That is true (only market share has nothing to do with it as long as you don’t use Windows), but most people get carried away by benchmarks. OpenBSD won’t ever compare favorably to Windows or vanilla Linux in benchmarks. And people want their games and browsers and videos at 3000 fps.
If you want your OS to be used, you cannot start putting canaries in your stack, making allocations with byte granularity and randomizing the positions of everything.
Linux has gotten a bit better lately, and there is SELinux(ahem), but I don’t see a default Ubuntu installation ever including half of it.
As long as you can more or less follow an introduction to Hacking tutorial with your OS it means it is insecure as hell and you are just lucky of not having been targeted yet.
Once more for the hard of hearing: Safari was taken down, yes, but not in seconds. The guy spent hours, days, weeks, maybe months looking for this hole, then even more time writing code that performed the exploit. Then he ran it, and that apparently only took seconds. Big f–king deal.
My personal web site generation framework has I don’t know how many hundreds of hours of work put in it, but it spits out pages in usually somewhere between ten and twenty milliseconds. That says nothing about the effort involved (well, it does, in that it did take a bit of optimisation to get it to run faster).
That Firefox and IE took longer to fall just means that the people who went after them weren’t as well prepared, or possibly less talented than whatshisface here. No one shows up to this kind of thing and then starts looking for exploits.
ERGO: the non-sensationalist headline for this story would be something like “BROWSERS STILL SUCK AT THE SECURITIES”.
End message.
I’d mod you up, but I already responded. Couldn’t have said it better!
dupe post
Edited 2009-03-19 16:17 UTC
Or, more likely, it means that Safari is easier to crack, even though the Firefox and IE crackers prepared just as much as “whatshisface.”
Of course.
All of the crackers prepared in advance, and Safari was the easiest and quickest to crack.
So, the headline should read: “SAFARI ONCE AGAIN SHOWN TO BE THE EASIEST TO CRACK, IN SPITE OF APPLE FANBOYS’ ATTEMPTS TO SPIN OTHERWISE.”
End of story.
Err. There is logically no way the time it takes to EXECUTE a pre-prepared exploit is related to how easy it is to FIND one. QED, you’re wrong.
(Also, I’m a full-time Ubuntu user. The only Macs I have around all run MacOS < 9. Or Linux.)
Edited 2009-03-19 19:31 UTC
Yes it was because it took very little time for exploit to actually do its job.
The Apple fanboys are so funny.
Yes, he did come with a pre-prepared exploit in his pocket. However, he and others did exactly the same to other operating systems and browsers and found nothing, and if they did it was very, very little. He knew he was going to be able to exploit OS X and Safari regardless of how much time he spent on it.
Yer. It really isn’t a big deal at all.
Edited 2009-03-22 00:48 UTC
Anyone know which version of Safari he cracked? Was it 3.2.1 or the 4 beta?
They used Safari 4 running on an up-to-date version of Leopard, versus the latest Windows 7 and IE8, so it’s possible that whatever bug was exploited is fixed in 10.6 or the latest WebKit nightlies, but I’d be very surprised. On the face of things it seems like a pretty fair competition.
From canwestsec.com:
On the browser side, we will be running the latest bleeding edge version of each browser platform we can get our hands on (Yes that means the Safari 4 beta, the latest build of IE8 we can get our hands on, and the upcoming FireFox release) on each of the two prize laptops (for the corresponding multi-os browsers).
So a beta browser on OS X is cracked, and a beta browser on a beta operating system is cracked (Win7).
Does anyone know if these exploits are also in the production versions of the browsers/OS’s in question? Because otherwise this feat of cracking a beta product is somewhat diminished.
I for one don’t run beta browsers or OS’s on anything other than test machines or VM’s, never in a production environment where security is a concern.
In an interview with ZDnet, Charlie Miller has stated that his exploit also works on Safari 3, and that it was one option he could have used to win last year’s competition.
Perhaps more interestingly he also claims that Mac OS X’s lack of support for No eXecute memory and address space randomization makes it much easier to exploit OS X than Windows once a bug has been identified.
That is why we spend money on dual cores and millions of GHz and RAM!
And Firefox and IE being cracked later just shows that they are bloated and slow!!! I mean, what is this? Spectrum ZX? Should I have to wait 3-5 minutes for the crack to load? Can I press the space bar?
I am confident that my Linux box can be cracked in less than one second!!! It’s just super fast, very stable, everything is working really well.
“It wasn’t Apple’s proprietary code in Safari that was cracked.”
http://www.appleinsider.com/articles/09/03/19/mac_security_research…
That quote refers to LAST YEAR.
my bad
although, we’ll see if it’s WebKit this year as well
Edited 2009-03-19 13:17 UTC
WebKit is Apple’s rendering engine. They contribute the most to it and by shipping it they are fully responsible for whatever bugs it contains (if a company adopts Open Source, it doesn’t make them less culpable for the bugs in it).
That’s just a sad deluded excuse and also last year’s method. There is a core to WebKit certainly, but the way it works in Safari has seen it extended with Apple’s own code and APIs and the way it is implemented on OS X. Then there is the whole DashBoard implementation which is a whole other level and another can of worms.
If it really was WebKit then we would have seen WebKit browsers on Windows, such as Chrome or even Safari, or Chrome on Linux being easy targets. We haven’t. As Miller said in TFA:
Chrome is a WebKit using browser:
Edited 2009-03-20 22:00 UTC
Like shooting fish in a barrel.
We know all the browsers have exploits, because they are massive and ridiculously complicated code bases.
We also know they are really buggy, due to the same reason. Which continues to beg the question, why do we keep building additional massive applications on top of this platform? All for the single advantage of ‘easy’ deployment.
Of course these guys had a practiced exploit in hand. That is what the competition is.
It’s like saying that Joe Football player deceived everyone because he practiced catching a football long before the game.
Let’s all quit bitching and finding reason’s why this isn’t Apple’s fault. We are not proving that a hacker can buy a mac and on his first day take over your computer in a couple seconds, it proves that if he owns a mac, and has studied it, he could proceed to take over your computer in a matter of seconds. You can argue about how you have to click his link, and how OSX users are far too smart for that, but just stop it. Take the news, brood over it if you have to, but in the end, just f–k off about it.
If a cracker can get in via the browser and can then operate after that with the full privileges of the user, that’s good enough for all practical purposes on a machine that basically has one user. Ordinary user permissions suffice to send spam or to participate in a botnet. Whining that an attack by means of the browser is somehow less serious is misguided.
It really strikes me as odd that by 2009 we still have links that can render computers completely in the control of a black hat and his botnet.
Is there something fundamental about rendering html and javascript, or is it just that browsers are an easier vector to attack since your user will be requesting data as opposed to a hacker actively port scanning and abusing poorly firewalled systems?
I’d really like to be enlightened on this further as this is far too frustrating.
Reading about man in the middle attacks and online banking sites that don’t update their certificates, to something like this basically makes me fear using the internet more than ever for anything beyond pretending to be someone I’m not and flaming people on forums.
Blah.
… Uh yeah like right now…
I wish I was being snarky, but I want to brush up on some AD and test IE 8…
I believe that This exploit only worked because he had changed some settings in the OS then had physical access to the unit. -=- But it sells banner space.
He didn’t. The contest rules don’t allow that. Actually, the article says that a machine operator (NOT the hacker) clicked on a weblink and Miller had remote access right away. Did you read that at all?
Not every exploit is reliable. Sometimes you have checked your exploit very carefully, and they have something ever so slightly different. Some exploits are very reliable or simple and take no work or jiggling of the handle (like IIS Unicode/Code Red.) It just worked. The fact that he walked in and threw down on Safari, means it is probably a reliable exploit.
I don’t know how long it took for the other exploits, it may be telling if we find out. I’m guessing it wasn’t 10 seconds for the others. If it was, the headline would be everything pwned in 30 seconds! The IE/Windows 7 exploit was described as brilliant I think, which may mean it was not easy, or quick to execute. It may have taken several delicate steps to get access.
Headlines that bleat “hacked in seconds” from sites purporting to be somewhat expert in operating systems is a bit disingenuous. The vulnerability was found and an exploit prepared and practiced well ahead of the contest. With the canned exploit at the ready the time to hack will always be pretty damn fast, computers tend to be pretty fast.
Is it news that the security consultant found an exploit in source code openly available and kept it to himself in order to win laptop and personal glory? Maybe. Is it news that an exploit once written and practiced would execute in seconds on modern computer hardware? Not really.
Hacked in seconds? Please. As if Miller had no idea he was going to be attending a few months/years in advance?
Nice sensationalism. Bravo!